//lib/python3.6/site-packages/cloudinit/config/cc_ca_certs.py

# Author: Mike Milner <mike.milner@canonical.com>
#
# This file is part of cloud-init. See LICENSE file for license information.

"""CA Certs: Add ca certificates."""

import logging
import os
from textwrap import dedent

from cloudinit import subp, util
from cloudinit.cloud import Cloud
from cloudinit.config import Config
from cloudinit.config.schema import MetaSchema, get_meta_doc
from cloudinit.settings import PER_INSTANCE

LOG = logging.getLogger(__name__)

# Settings read by the functions in this module:
#   ca_cert_path       - system CA directory; remove_default_ca_certs()
#                        deletes its contents (None skips that step)
#   ca_cert_local_path - directory receiving the files written by
#                        add_ca_certs(); also emptied by
#                        remove_default_ca_certs()
#   ca_cert_filename   - file name template, formatted with ``cert_index``
#   ca_cert_config     - file rewritten by disable_system_ca_certs()
#                        (None skips that rewrite)
#   ca_cert_update_cmd - argv executed by update_ca_certs()
# DEFAULT_CONFIG is used for every distro name without an override entry.
DEFAULT_CONFIG = dict(
    ca_cert_path=None,
    ca_cert_local_path="/usr/local/share/ca-certificates/",
    ca_cert_filename="cloud-init-ca-cert-{cert_index}.crt",
    ca_cert_config="/etc/ca-certificates.conf",
    ca_cert_update_cmd=["update-ca-certificates"],
)

# Complete replacement configs (not merged with DEFAULT_CONFIG), keyed by
# distro name.
DISTRO_OVERRIDES = dict(
    fedora=dict(
        ca_cert_path="/etc/pki/ca-trust/",
        ca_cert_local_path="/usr/share/pki/ca-trust-source/",
        ca_cert_filename="anchors/cloud-init-ca-cert-{cert_index}.crt",
        ca_cert_config=None,
        ca_cert_update_cmd=["update-ca-trust"],
    ),
    rhel=dict(
        ca_cert_path="/etc/pki/ca-trust/",
        ca_cert_local_path="/usr/share/pki/ca-trust-source/",
        ca_cert_filename="anchors/cloud-init-ca-cert-{cert_index}.crt",
        ca_cert_config=None,
        ca_cert_update_cmd=["update-ca-trust"],
    ),
    opensuse=dict(
        ca_cert_path="/etc/pki/trust/",
        ca_cert_local_path="/usr/share/pki/trust/",
        ca_cert_filename="anchors/cloud-init-ca-cert-{cert_index}.crt",
        ca_cert_config=None,
        ca_cert_update_cmd=["update-ca-certificates"],
    ),
)

# SUSE-family names point at the very same dict object as "opensuse".
for distro in (
    "opensuse-microos",
    "opensuse-tumbleweed",
    "opensuse-leap",
    "sle_hpc",
    "sle-micro",
    "sles",
):
    DISTRO_OVERRIDES[distro] = DISTRO_OVERRIDES["opensuse"]

# RHEL rebuilds point at the very same dict object as "rhel".
for distro in ("almalinux", "cloudlinux"):
    DISTRO_OVERRIDES[distro] = DISTRO_OVERRIDES["rhel"]

# Description text stored in meta["description"] below and, through
# get_meta_doc(meta), in this module's __doc__.
MODULE_DESCRIPTION = """\
This module adds CA certificates to the system's CA store and updates any
related files using the appropriate OS-specific utility. The default CA
certificates can be disabled/deleted from use by the system with the
configuration option ``remove_defaults``.

.. note::
    certificates must be specified using valid yaml. in order to specify a
    multiline certificate, the yaml multiline list syntax must be used

.. note::
    Alpine Linux requires the ca-certificates package to be installed in
    order to provide the ``update-ca-certificates`` command.
"""
# Distro names recorded in meta["distros"]. "alpine", "debian" and "ubuntu"
# have no DISTRO_OVERRIDES entry, so _distro_ca_certs_configs() gives them
# DEFAULT_CONFIG.
# NOTE(review): disable_default_ca_certs() only acts for "rhel", "alpine",
# "debian" and "ubuntu"; for the other names listed here ``remove_defaults``
# is accepted but no default certificate is disabled or removed.
distros = [
    "almalinux",
    "cloudlinux",
    "alpine",
    "debian",
    "fedora",
    "rhel",
    "opensuse",
    "opensuse-microos",
    "opensuse-tumbleweed",
    "opensuse-leap",
    "sle_hpc",
    "sle-micro",
    "sles",
    "ubuntu",
]

# Module metadata handed to get_meta_doc() below.
# NOTE(review): "frequency" and "activate_by_schema_keys" are presumably
# consumed by the cloud-init module runner (run once per instance, and only
# when one of the listed keys is configured) - confirm against the schema
# code, which is not part of this file.
meta: MetaSchema = {
    "id": "cc_ca_certs",
    "name": "CA Certificates",
    "title": "Add ca certificates",
    "description": MODULE_DESCRIPTION,
    "distros": distros,
    "frequency": PER_INSTANCE,
    "examples": [
        dedent(
            """\
            ca_certs:
              remove_defaults: true
              trusted:
                - single_line_cert
                - |
                  -----BEGIN CERTIFICATE-----
                  YOUR-ORGS-TRUSTED-CA-CERT-HERE
                  -----END CERTIFICATE-----
            """
        )
    ],
    "activate_by_schema_keys": ["ca_certs", "ca-certs"],
}

# Replaces the module docstring set at the top of the file with whatever
# get_meta_doc() returns for the metadata above.
__doc__ = get_meta_doc(meta)


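def _distro_ca_certs_configs(distro_name):
    """Return a distro-specific ca_certs config dictionary

    The result holds every key of the matching DISTRO_OVERRIDES entry (or of
    DEFAULT_CONFIG when the distro has no override) plus the derived key
    ``ca_cert_full_path``: ``ca_cert_local_path`` joined with the
    ``ca_cert_filename`` template.

    @param distro_name: String providing the distro class name.
    @returns: Dict of distro configurations for ca_cert.
    """
    # Work on a copy: the lookup tables are module-level objects, and several
    # distro names share one dict, so writing the derived key into them would
    # leak state between calls and between distros. The copy is shallow, so
    # the ``ca_cert_update_cmd`` list is still the shared one and must not be
    # modified by callers.
    cfg = dict(DISTRO_OVERRIDES.get(distro_name, DEFAULT_CONFIG))
    cfg["ca_cert_full_path"] = os.path.join(
        cfg["ca_cert_local_path"], cfg["ca_cert_filename"]
    )
    return cfg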


def update_ca_certs(distro_cfg):
    """
    Refresh the CA certificate cache of the running system by executing the
    distro's update command.

    The command is the argv list stored under ``ca_cert_update_cmd``; it is
    run through subp.subp with ``capture=False``.

    @param distro_cfg: Dict as returned by _distro_ca_certs_configs.
    """
    refresh_cmd = distro_cfg["ca_cert_update_cmd"]
    subp.subp(refresh_cmd, capture=False)


def add_ca_certs(distro_cfg, certs):
    """
    Write the given certificates into the distro's local CA directory, one
    file per certificate. They only take effect once the distro-specific
    update utility has run, e.g. via L{update_ca_certs}.

    Each entry is stored exactly as ``str(entry)``; this function does not
    check that the content is a well-formed certificate. Files are created
    with mode 0o644 and numbered from 1, so an earlier file with the same
    index is written over.

    @param distro_cfg: Dict as returned by _distro_ca_certs_configs.
    @param certs: A list of certificate strings.
    """
    if certs:
        path_template = distro_cfg["ca_cert_full_path"]
        for position, cert in enumerate(certs, start=1):
            # Coerce to text first; the config may hold non-string scalars.
            contents = str(cert)
            target = path_template.format(cert_index=position)
            util.write_file(target, contents, mode=0o644)


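def disable_default_ca_certs(distro_name, distro_cfg):
    """
    Disables all default trusted CA certificates. For Alpine, Debian and
    Ubuntu to actually apply the changes you must also call
    L{update_ca_certs}.

    Only "rhel" (defaults are removed) and "alpine", "debian", "ubuntu"
    (defaults are deselected in the CA config file) are handled. For any
    other distro name the trust store is left untouched and a warning is
    logged, so that a requested removal of the defaults is never skipped
    silently.

    @param distro_name: String providing the distro class name.
    @param distro_cfg: A hash providing _distro_ca_certs_configs function.
    """
    if distro_name == "rhel":
        remove_default_ca_certs(distro_cfg)
    elif distro_name in ("alpine", "debian", "ubuntu"):
        disable_system_ca_certs(distro_cfg)

        if distro_name in ("debian", "ubuntu"):
            # Preseed the ca-certificates/trust_new_crts debconf question
            # with "no" (presumably so certificates shipped by later package
            # updates are not trusted automatically - confirm).
            debconf_sel = (
                "ca-certificates ca-certificates/trust_new_crts select no"
            )
            subp.subp(("debconf-set-selections", "-"), data=debconf_sel)
    else:
        # The caller asked for the defaults to go away; make it visible that
        # the system still trusts them.
        LOG.warning(
            "Disabling default CA certificates is not implemented for"
            " distro %s; the default trust store is left unchanged",
            distro_name,
        )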


def disable_system_ca_certs(distro_cfg):
    """
    Deselect every entry of the CA config file (``ca_cert_config``) by
    prefixing it with "!".

    Blank lines and lines already starting with "#" or "!" are kept as they
    are. A marker comment is inserted once, before the first entry that gets
    deselected, unless the file already contains it. Nothing is done when no
    config file is configured, the file does not exist, or it is empty.

    @param distro_cfg: Dict as returned by _distro_ca_certs_configs.
    """
    conf_path = distro_cfg["ca_cert_config"]
    if not conf_path:
        return
    if not os.path.exists(conf_path):
        return
    # An empty file has no entries to deselect; leave it alone.
    if not os.stat(conf_path).st_size:
        return

    marker = "# Modified by cloud-init to deselect certs due to user-data"
    marker_present = False
    rewritten = []
    for entry in util.load_file(conf_path).splitlines():
        if entry == marker:
            marker_present = True
            rewritten.append(entry)
            continue
        if not entry or entry.startswith(("#", "!")):
            # Blank, comment, or already deselected.
            rewritten.append(entry)
            continue
        if not marker_present:
            rewritten.append(marker)
            marker_present = True
        rewritten.append("!" + entry)

    new_contents = "\n".join(rewritten) + "\n"
    util.write_file(conf_path, new_contents, omode="wb")


def remove_default_ca_certs(distro_cfg):
    """
    Remove the default trusted CA certificates from the system.

    Calls util.delete_dir_contents on both ``ca_cert_path`` and
    ``ca_cert_local_path``. No copy of the removed files is made here, so
    keep a backup elsewhere if the defaults may be needed again. Does
    nothing when ``ca_cert_path`` is None.

    @param distro_cfg: Dict as returned by _distro_ca_certs_configs.
    """
    system_dir = distro_cfg["ca_cert_path"]
    if system_dir is not None:
        LOG.debug("Deleting system CA certificates")
        util.delete_dir_contents(system_dir)
        util.delete_dir_contents(distro_cfg["ca_cert_local_path"])


def handle(name: str, cfg: Config, cloud: Cloud, args: list) -> None:
    """
    Apply the ``ca_certs`` section of the cloud-config to the system.

    Steps, in order: optionally disable/remove the default CA certificates
    (``remove_defaults``), write any certificates listed under ``trusted``,
    then run the distro's update command. The update command runs whenever
    the section is present, even if nothing was added or removed.

    The deprecated spellings ``ca-certs`` and ``remove-defaults`` are still
    accepted; when both spellings of a key are present the underscore form
    is the one used.

    @param name: The module name "ca_cert" from cloud.cfg
    @param cfg: A nested dict containing the entire cloud config contents.
    @param cloud: The L{CloudInit} object in use.
    @param args: Any module arguments from cloud.cfg
    """
    has_legacy_key = "ca-certs" in cfg
    has_current_key = "ca_certs" in cfg

    if not has_legacy_key and not has_current_key:
        LOG.debug(
            "Skipping module named %s, no 'ca_certs' key in configuration",
            name,
        )
        return

    if has_legacy_key:
        util.deprecate(
            deprecated="Key 'ca-certs'",
            deprecated_version="22.1",
            extra_message="Use 'ca_certs' instead.",
        )
        if has_current_key:
            LOG.warning(
                "Found both ca-certs (deprecated) and ca_certs config keys."
                " Ignoring ca-certs."
            )

    # The current key wins; the legacy one is only a fallback.
    section = cfg.get("ca_certs", cfg.get("ca-certs"))
    distro_name = cloud.distro.name
    distro_cfg = _distro_ca_certs_configs(distro_name)

    # Default certificates are dealt with before new ones are written.
    if "remove-defaults" in section:
        util.deprecate(
            deprecated="Key 'remove-defaults'",
            deprecated_version="22.1",
            extra_message="Use 'remove_defaults' instead.",
        )
    drop_defaults = section.get(
        "remove_defaults", section.get("remove-defaults", False)
    )
    if drop_defaults:
        LOG.debug("Disabling/removing default certificates")
        disable_default_ca_certs(distro_name, distro_cfg)

    # Write out whatever additional trusted certificates were supplied.
    if "trusted" in section:
        trusted_certs = util.get_cfg_option_list(section, "trusted")
        if trusted_certs:
            LOG.debug("Adding %d certificates", len(trusted_certs))
            add_ca_certs(distro_cfg, trusted_certs)

    # Let the distro tooling pick up the new certificate configuration.
    LOG.debug("Updating certificates")
    update_ca_certs(distro_cfg)
